Solved

Help with Security

Posted on 2001-07-11
140 Views
Last Modified: 2011-09-20
Can someone point me to some very good resources on designing Win2K security. I need to limit access to resources over Terminal Server connections. Just looking for some step-by-step type examples on setting this up. Thanks
Question by:belink
13 Comments
 
LVL 12

Expert Comment

by:gidds99
ID: 6274963
Here is a link to Microsoft's guide to deploying TS.

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/deploy/part4/chapt-16.asp

I will see what else I can find.

Gordon.
 
LVL 12

Expert Comment

by:gidds99
ID: 6274991
Also, here is Microsoft's document on W2K network security.

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/deploy/part4/chapt-16.asp

Are these documents the type of thing you are looking for?

Gordon.
 
LVL 12

Expert Comment

by:gidds99
ID: 6275003
LVL 12

Expert Comment

by:gidds99
ID: 6275017
 
LVL 12

Expert Comment

by:Housenet
ID: 6275387
Port 3389 is the Terminal Server port. Basically, the best advice is to close as many ports and protocols as possible without totally disabling the required internet services.
- I use TCP/IP filtering in the advanced options of Local Area Connection.
- http://www.softforces.com/ntbook.htm
- http://www.sans.org/infosecFAQ/win2000/hardening.htm
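The port restriction Housenet describes, as an added example that is not part of the thread. Windows 2000's TCP/IP Filtering dialog can only allow-list local ports per adapter; the modern equivalent below (Windows Server 2012 or later, NetSecurity module) also restricts which source networks may reach TCP 3389, which is what you want when the router forwards 3389 in from the internet. The source range 203.0.113.0/24 and the rule name are placeholders, not values from the original post.

```powershell
# Added example (not from the thread): expose only RDP (TCP 3389) inbound, and
# only from a known client network. Assumes Windows 8 / Server 2012 or later,
# where the NetSecurity cmdlets replaced the Windows 2000 "TCP/IP Filtering" tab.
# The address range below is a hypothetical placeholder; set it to your own
# client network BEFORE running this, or you will lock yourself out of the server.
#Requires -RunAsAdministrator

$AllowedSources = @('203.0.113.0/24')   # hypothetical client/VPN network
$RdpPort        = 3389
$RuleName       = 'TS-RDP-from-allowed-sources'

# Default-deny inbound on every profile; only explicit allow rules remain.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# The built-in Remote Desktop rules allow 3389 from anywhere; switch them off so
# they cannot widen the scope of the narrow rule added below.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Replace any earlier copy of our rule, then add the one narrow allow.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $RdpPort -RemoteAddress $AllowedSources -Action Allow -Profile Any |
    Out-Null

# Check: list every enabled inbound allow rule that is left, with its port and
# source scope, so nothing else is reachable from the internet by accident.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Protocol = $port.Protocol
            Port     = $port.LocalPort
            Sources  = ($addr.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

Run the final check from a console session, not over RDP, the first time: the listing should show only the one 3389 rule (plus whatever core networking rules you deliberately keep), and the Sources column should never read "Any" for 3389. Restricting the source network matters more than the port filter itself, since 3389 open to the whole internet is exactly what password guessing tools look for.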
 
LVL 10

Accepted Solution

by: blohrer (earned 50 total points)
ID: 6277942
What specific things are you looking to secure? Desktop settings? What options are available to your users?

Like taking the shutdown and restart options away from the users?

Or just how to limit the ports for users to access? As said above, the only port needed open for Terminal Services is 3389, unless you are going to run other services.

I have run W2K Terminal Servers over the internet for 100+ users. If you are using Active Directory, one of the things I did was set up a Terminal Server OU (organizational unit). I then modified the group policy on that OU to take things like RUN, SETTINGS, Shutdown and Restart off the Start menu. Made life a lot easier!!!
 
LVL 17

Expert Comment

by:mikecr
ID: 6278189
Use ICA instead of RDP and they can't do much of anything.
 

Author Comment

by:belink
ID: 6280853
Wow, thanks for all the good input, everyone (I'm obviously going to have to divvy out points to more than one of you, 50 each of course).

blohrer: You have hit my situation on the head. I already have the router configured for port 3389 to route to my server. I love your idea about the OU. That's probably what I will do. I need to limit the desktop settings and take things out of the Start menu, make it so they cannot see drives in My Computer, things of that nature. I knew I could use Group Policies to do this, but I'm used to working with very small companies and the OU solution did not occur to me. That seems like it would work.

mikecr: Could you give more detail? (In other words, I'm not sure what you're talking about.) I know that TS uses RDP but I'm not familiar with ICA.

housenet: Thanks for the articles. They have helped me learn more about 2000 security but may be a little more than I need for this application. One question: when you use the templates (as stated in the sans.org article), if you apply a template to the machine (a Win2K Professional box in this case) does it affect ALL users? If not, how do you assign the template to just certain users? Thanks for your input.

 
LVL 10

Expert Comment

by:blohrer
ID: 6280902
No problem belink... I had the same situation. Just be careful of one thing: if these users are both Term Server users and local users with Windows 2000 workstations, the group policy will be applied to both systems. I didn't have this problem, but I would suggest if you do, two different logins for this type of user: one for Terminal Server, and one for their local workstation.
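The OU and Group Policy lockdown from the accepted answer, built as an added example that is not code from the thread, and extended with Group Policy loopback processing so the user settings bite only in sessions on the Terminal Server and not on the same users' own workstations (the concern raised just above). It assumes a domain-joined admin host with the RSAT ActiveDirectory and GroupPolicy modules; the domain DN, OU name, GPO name and server name are placeholders, not values from the original post.

```powershell
# Added example (not from the thread): Terminal Server OU + lockdown GPO, with
# loopback processing so the user restrictions apply only on the TS.
# Assumes RSAT (ActiveDirectory, GroupPolicy modules) on a domain-joined host.
# All names below are hypothetical placeholders.
#Requires -Modules ActiveDirectory, GroupPolicy

$DomainDn   = 'DC=corp,DC=example'     # hypothetical domain
$OuName     = 'Terminal Servers'
$OuDn       = "OU=$OuName,$DomainDn"
$GpoName    = 'TS User Lockdown'
$TsComputer = 'TS01'                   # hypothetical terminal server account

# 1. An OU that holds only the terminal server computer account(s).
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$OuDn'")) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}
Get-ADComputer -Identity $TsComputer | Move-ADObject -TargetPath $OuDn

# 2. The GPO, linked to that OU (created only if missing).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$linked = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null }

# 3. User-side Explorer policies: Run, Settings and Shut Down removed from the
#    Start menu; all drive letters hidden and blocked in My Computer.
$explorerKey  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$userPolicies = @{
    NoRun         = 1           # Remove Run from the Start menu
    NoSetFolders  = 1           # Remove the Settings folders (Control Panel etc.)
    NoClose       = 1           # Remove Shut Down / Restart
    NoDrives      = 0x03FFFFFF  # Bitmask: hide drives A-Z in My Computer
    NoViewOnDrive = 0x03FFFFFF  # Bitmask: also refuse to open them by path
}
foreach ($name in $userPolicies.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $explorerKey -ValueName $name `
        -Type DWord -Value $userPolicies[$name] | Out-Null
}

# 4. Loopback processing in Replace mode (UserPolicyMode = 2; 1 would be Merge).
#    Whoever logs on to a computer in this OU gets this GPO's user settings, and
#    the same users keep their normal desktop on their own workstations. One
#    account per user is enough; no second "terminal server" login is needed.
$systemKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $GpoName -Key $systemKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value 2 | Out-Null

# Check: read back what the GPO now carries.
Get-GPRegistryValue -Name $GpoName -Key $explorerKey | Select-Object ValueName, Value
Get-GPRegistryValue -Name $GpoName -Key $systemKey -ValueName 'UserPolicyMode'
```

Two caveats a practitioner should keep in mind. With Replace-mode loopback, the GPOs linked to the users' own OUs are ignored on the Terminal Server, so anything those users still need (printers, drive mappings) has to be in this GPO or another one linked to the Terminal Servers OU. And these Explorer policies are user-interface restrictions, not a security boundary: hiding Run and the drive letters stops casual browsing, but a user who can launch a file dialog or a command prompt through some other application still reaches the file system, so the real control on the drives remains NTFS permissions (and, where available, software restriction or application allow-listing) applied on the server itself.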
 
LVL 12

Expert Comment

by:Housenet
ID: 6280949
- To view the distinctions between what are user policy settings and computer policy settings, I suggest this.
- Create OUs.
- The properties of an OU has a Group Policy tab. When you edit the group policy for an OU, the options are separated into User and Computer settings.
- If you move a user into the OU and this user has Read and Apply Group Policy permissions for the policy, the user settings will apply to the user.
- The same applies for computers moved into OUs.

- You can even look at a PC's local policy by typing MMC in Run, adding the snap-in for Group Policy and choosing the option for local policy.
- The basic point is: when looking at a Group Policy object, user and computer settings are very obvious because of the way it is organized.
 
LVL 10

Expert Comment

by:blohrer
ID: 6281471
Housenet... True, but we have users here that will have a policy applied to them. They MAY log in to both a Terminal Server and (I am assuming) a regular Windows 2000 PC. The initial question was how to secure a terminal server, taking away certain options. Most of these options are on the user level. So if a user needs to be secured on a terminal server (e.g. take away the Run Start menu item so they can't have access to the local drives via a command prompt), the user policy would also extend to their W2K network machine.

 
LVL 12

Expert Comment

by:Housenet
ID: 6281510
blohrer sounds good to me.
 

Author Comment

by:belink
ID: 6282757
In response, blohrer: the users will only be logging in LOCALLY to a Win2K Pro box that is not part of a domain (just a workstation, no server). They will then initiate a Terminal Server session to a remote TS, so I assume I would only need one logon on the server side for this. I am going to experiment with this today and see what I can come up with. Thanks again for the input.